---
id: security
title: Security
---
Any HTML generated by KaTeX *should* be safe from `<script>` or other code
injection attacks.

Of course, it is always a good idea to sanitize the HTML, though you will need
a rather generous whitelist (including some of SVG and MathML) to support
all of KaTeX.

Use `maxSize` option for preventing large width/height visual affronts,
use `maxExpand` for preventing infinite macro loop attacks, and
use `allowedProtocols` for preventing certain protocols in `\href`. Please
refer to [Options](options.md) for more details.

The error message thrown by KaTeX may contain unescaped LaTeX source code.
See [Handling Errors](error.md) for more details.

> If you discovered a security issue, please let us know via https://hackerone.com/khanacademy
